Authorization: An individual's written permission (signed by the individual or his/her Personal Representative) to allow a covered entity to use/disclose specified PHI for a particular research study. Except as otherwise permitted by the HIPAA Privacy Rule, a covered entity may not use or disclose PHI for research purposes without a valid Authorization.
Accounting for Disclosures of PHI: Information that describes a covered entity's disclosure of PHI that has taken place within six (6) years of the date of the request (excluding any disclosures taking place prior to the Compliance Date). Accounting of disclosures is not required in the following situations:
- disclosures for treatment, payment, and health care operations ("TPO")
- disclosures made pursuant to valid Authorizations
- disclosure of Limited Data Sets
- disclosure of de-identified data
- disclosures of PHI prior to April 14, 2003
Covered Entity:
- A health plan,
- A health care clearinghouse, and
- A health care provider who transmits any health information in electronic form (once deemed a covered entity, any PHI regardless of format, e.g., print or electronic, is subject to the HIPAA Privacy Rule)
Data Use Agreement (DUA): An agreement pertaining to a Limited Data Set (LDS) that specifies permitted uses and disclosures, specifies who may use or receive the data set, restricts further use and disclosure, and restricts re-identification of the individual or contact with the individuals. (This agreement may take the form of a formal contract or of a confidentiality agreement).
De-Identified Data: Data that does not identify an individual and with respect to which there is no reasonable basis to believe that information within the data can be used to identify an individual.
The Privacy Rule provides two routes by which data may be de-identified. The first route (the "safe harbor" method) is to remove all eighteen (18) direct identifiers listed below, whether they pertain to the individual or to the individual's relatives, employers, or household members. These identifiers are enumerated in the HIPAA Privacy Rule. The second route (the "expert determination" method) is to obtain the services of an expert who can determine and document, using generally accepted statistical and scientific principles and methods, that there is only a 'very small' risk that the information in a data set could be used, alone or in combination with other reasonably available information, to identify the subject of the information.
Direct Identifiers:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
  - the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; and
  - the initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Telephone numbers
- Facsimile numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health Plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers, including fingerprints and voiceprints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
Disclosure: The release, transfer, access to, or divulging of PHI in any manner outside the covered entity holding the PHI.
Individually Identifiable Health Information: Information that includes demographic information collected from an individual, and
- is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Limited Data Set (LDS): A data set that excludes the majority of the eighteen (18) direct identifiers of the individual and of the individual's relatives, employers, and/or household members. In a limited data set, certain geographic information below the state level (city or town, state, and full ZIP Code, but not street address) and dates directly related to an individual (e.g., birth date, admission date, discharge date, service dates) may be retained.
Limited data sets can be used or disclosed for purposes of research, public health, or health care operations without obtaining an individual's Authorization, an IRB waiver, or an alteration of Authorization, so long as a Data Use Agreement (DUA) is in place. IRB review and approval of the study is, however, still required.
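The safe harbor identifier list above and the Limited Data Set definition describe two different transforms on the same record: safe harbor strips every listed identifier, reduces geography to a three-digit ZIP prefix (or 000 for low-population prefixes), keeps only the year of dates, and collapses ages over 89 into a "90 or older" category, while an LDS strips the direct identifiers but keeps dates and city/state/ZIP. The following Python is an added example, not code from the FSU IRB or from HHS, showing both transforms plus a check that flags records that still fail safe harbor. The record, its field names, and the SMALL_ZIP3 set are constructed assumptions; the real set of three-digit ZIP prefixes with 20,000 or fewer people must be derived from current Census Bureau data.

```python
"""Safe harbor and Limited Data Set transforms for one record (added example)."""
from datetime import date

# Constructed sample record; every value is made up for this example.
SAMPLE = {
    "name": "Jane Q. Sample",
    "street": "12 Example Lane",
    "city": "Tallahassee",
    "state": "FL",
    "zip": "32306-1234",
    "dob": date(1930, 3, 15),
    "admit": date(2023, 11, 2),
    "discharge": date(2023, 11, 9),
    "phone": "850-555-0100",
    "email": "jane@example.test",
    "ssn": "000-00-0000",
    "mrn": "MRN-0001",
    "diagnosis": "I10",
}
# Same record with a birth date that yields an age of 89 or under.
SAMPLE_UNDER_90 = dict(SAMPLE, dob=date(1980, 5, 5))
AS_OF = date(2024, 1, 1)  # reference date for computing age

# Fields holding identifiers that both safe harbor and the LDS remove.
# The field names are this example's own, not a HIPAA schema.
DIRECT_ID_FIELDS = (
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
)

# ASSUMPTION: placeholder three-digit ZIP prefixes whose combined population
# is 20,000 or fewer. Illustrative only; derive the real set from Census data.
SMALL_ZIP3 = frozenset({"036", "059", "102"})


def safe_harbor_zip(zip_code, small_zip3=SMALL_ZIP3):
    """First three digits of a ZIP code, or '000' for a low-population area."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in small_zip3 else zip3


def age_on(dob, as_of):
    """Whole years elapsed between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record, as_of=AS_OF, small_zip3=SMALL_ZIP3):
    """De-identified copy of record under the safe harbor method."""
    out = {k: v for k, v in record.items() if k not in DIRECT_ID_FIELDS}
    out.pop("city", None)  # nothing below state level except the ZIP prefix
    out["zip3"] = safe_harbor_zip(out.pop("zip", ""), small_zip3)
    age = age_on(record["dob"], as_of)
    out.pop("dob")
    if age > 89:
        out["age"] = "90+"  # birth year would reveal the age, so drop it too
    else:
        out["age"] = age
        out["birth_year"] = record["dob"].year
    for field in ("admit", "discharge"):  # keep year only
        if field in out:
            out[field] = out[field].year
    return out


def limited_data_set(record):
    """LDS copy: direct identifiers removed, dates and city/state/ZIP kept.
    Release still requires a Data Use Agreement and IRB approval."""
    return {k: v for k, v in record.items() if k not in DIRECT_ID_FIELDS}


def safe_harbor_problems(record, small_zip3=SMALL_ZIP3):
    """Reasons a record still fails safe harbor; an empty list means it passes."""
    problems = [f"identifier present: {f}" for f in DIRECT_ID_FIELDS if record.get(f)]
    if record.get("city"):
        problems.append("geography smaller than a state: city")
    if "zip" in record:
        problems.append("ZIP retained beyond three digits")
    zip3 = record.get("zip3")
    if zip3 and zip3 != safe_harbor_zip(zip3, small_zip3):
        problems.append("low-population ZIP prefix not set to 000")
    problems += [f"full date retained: {k}" for k, v in record.items() if isinstance(v, date)]
    age = record.get("age")
    if isinstance(age, int) and age > 89:
        problems.append("age over 89 not aggregated to 90+")
    if age == "90+" and record.get("birth_year"):
        problems.append("birth year retained for age 90+")
    return problems


if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
    print(safe_harbor_problems(limited_data_set(SAMPLE)))
```

Running the block shows the safe harbor output passing `safe_harbor_problems` while the LDS copy of the same record fails it on city, full ZIP and full dates, which is exactly the gap a DUA is meant to cover. The checker is a field-level sanity test, not a substitute for the expert-determination route: free-text fields such as clinical notes can carry any of the eighteen identifiers and are not inspected here.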
Minimal Risk to the Privacy of the Individual: A level of risk, harm, or discomfort no greater than that which an individual will ordinarily encounter in day-to-day activities.
Personal Representative: A person who is legally authorized to act on behalf of an individual in making health care related decisions, including signing an Authorization.
Privacy Board: A Board that is established to review and approve requests for waivers or alterations of Authorizations in connection with a use or disclosure of PHI.
A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual's privacy rights and related interests. The Board must include at least one member who is not affiliated with the covered component (covered entity) or with the entity that is conducting or sponsoring the research, and who is not related to any person affiliated with any such entity. No member may participate in the review of any project in which that member has a conflict of interest. The FSU IRB does not serve as a Privacy Board with regard to any waiver of Authorization for non-FSU PHI for research purposes.
Protected Health Information (PHI): Individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Education records covered by FERPA, and employment records held by a 'covered entity' in its role as an employer, are excluded from this definition.
Research: A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.
Reviews Preparatory to Research: Using/reviewing PHI for the purposes of developing a research protocol or a similar activity in preparation of formulating a research hypothesis. This may include review of PHI to ascertain eligibility of individuals as prospective human research participants (human subjects).
Use: The sharing, application, utilization, examination, analysis, or employment of Individually Identifiable Health Information within an entity that maintains such information.
Waiver, Partial Waiver or Alteration of Authorization: The document by which an IRB or Privacy Board has documented approval of a request to waive or alter the requirements of the HIPAA Privacy Rule for a valid Authorization for the use and/or disclosure of PHI.